Security Signals (07/15/25 – 07/29/25)


Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.


Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights, and our Risk Indicators feeds help you apply them. Get free access to machine-readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.

This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025
Source: Security Affairs
Fire Ant, a China-linked cyber group, is exploiting VMware and F5 vulnerabilities to access secure, segmented networks, according to Sygnia. They have targeted VMware ESXi and vCenter, using layered attacks to reach restricted systems. Read more.

Scattered Spider is running a VMware ESXi hacking spree
Source: BLEEPING COMPUTER
Scattered Spider hackers are targeting VMware ESXi hypervisors at U.S. companies in retail, airline, transportation, and insurance. They use social engineering, not software flaws, to bypass security. Read more.

Unmasking the new Chaos RaaS group attacks
Source: Cisco Talos
Cisco Talos IR recently observed Chaos, a new ransomware-as-a-service group, targeting businesses with spam, social engineering, and remote tools. Their attacks use fast, selective encryption and anti-analysis methods, making detection and recovery difficult. Read more.

Attack Surface Watch: Exploring Digital Risks

ToolShell: An all-you-can-eat buffet for threat actors
Source: We Live Security
Microsoft has confirmed that ToolShell, a set of zero-day vulnerabilities (CVE-2025-53770 & CVE-2025-53771), is being used to attack on-premises SharePoint servers. These attacks can let hackers access restricted systems and steal data. Read more.

Organizations Warned of Exploited PaperCut Flaw
Source: Security Week
CISA has warned about a security vulnerability (CVE-2023-2533) in PaperCut NG and MF print management products. This issue lets attackers change security settings or run code remotely. Read more.

Incident Radar: Breaches & Attacks

Microsoft probing whether cyber alert tipped off Chinese hackers
Source: The Straits Times
Microsoft is looking into whether a leak from its early-alert system allowed hackers to exploit SharePoint flaws before they were fixed. The system is meant to help cybersecurity experts fix issues early, but it may have led to global problems. Read more.

US Targets North Korea’s Illicit Funds: $15M Rewards Offered as American Woman Jailed in IT Worker Scam
Source: Security Week
An Arizona woman was sentenced for helping North Korean IT workers get jobs at over 300 US companies using stolen identities. She ran a laptop farm at home, helping generate $17M in illegal revenue. Read more.

Amazon AI coding agent hacked to inject data wiping commands
Source: BLEEPING COMPUTER
A hacker planted data-wiping code in the Amazon Q Developer Extension for Visual Studio Code. This free AI-powered tool, with nearly 1M installs, helps developers code and debug. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration
Source: Cyfirma
Raven Stealer is a lightweight malware that targets browsers like Chrome and Edge, stealing passwords, cookies, and payment info. It exfiltrates the stolen data through Telegram bots and is easy for attackers to use. Read more.

Oyster Backdoor: The Malvertising Menace Masquerading as Popular Tools
Source: CyberProof
CyberProof Threat Researchers found an Oyster Backdoor infection in July 2025. Attackers used a fake PuTTY installer, but the backdoor was blocked before it could do any harm. This blog shares technical details about the files seen in this attack. Read more.